Deceptive Response

TEHTRIS DECEPTIVE RESPONSE and its honeypots simulate fake machines and services in order to fool intruders.

A preventive and efficient real-time alarm system

TEHTRIS Deceptive Response (honeypots) provides an effective alarm system in real-time, ahead of intrusions, adding a complementary view to the security of your systems and infrastructures. By adding false resources to your network, these sensors lure attackers and provide you with reports and event dashboards.

Reveal the presence of a malicious actor

Unlike products that have to shuffle through billions of data with the risk of generating false alarms, TEHTRIS Deceptive Response will only be solicited when it is being interacted with. No one is usually supposed to play with or attack these fake machines that are not officially present on the network for production purposes.

An additional difficulty for hackers

When a hacker targets a network secured by TEHTRIS Deceptive Response, he may fall on the fake machines (decoys), triggering an alarm. The hacker does not have time to make mistakes, as it will complicate his internal exploration sessions and his lateral movements.

Why TEHTRIS Deceptive Response?


At the network level, TEHTRIS Deceptive Response can cover all VLANs in a network zone without the need to manually deploy a fake device in each VLAN.


TEHTRIS Deceptive Response does not modify systems in production. It simply adds fake machines, without disrupting existing elements.

Pictogramme : Rocket TEHTRIS


TEHTRIS Deceptive Response includes a fleet of honeypots natively integrated to the TEHTRIS XDR Platform with SOAR, CTI, Hunting, Compliance, Incident Management, etc.

Pictogramme CTI Sécurité: Cadenas


TEHTRIS Deceptive Response runs on appliances using TEHTRIX distribution, that are fully disk encrypted, with advanced protection mechanisms such as RBAC in the kernel and 0-day protection.

Pictogramme : Nuage avec une médaille étoilée dessus


TEHTRIS Deceptive Response dramatically simplifies the complexity of honeypot projects, in an operated mode, with TEHTRIS providing deployment and maintenance.


The co-founder of TEHTRIS has been creating honeypots for over 20 years. He has been invited by armies and intelligence services around the world, to discuss his studies related to counterattacks or dynamic and proportional incident response systems.

Le TEHTRIS EDR s'intègre parfaitement à la solution cybersécuritaire ultime de TEHTRIS : la XDR Platform

Perfectly integrated inside the XDR Platform

When it comes to cybersecurity, orchestrating events and reacting to threats effectively and quickly is a fundamental challenge. One of the best ways to do this is with powerful automation and artificial intelligence. That’s what TEHTRIS offers with its SOAR integrated with the TEHTRIS XDR Platform.

Discover how we create hyper automation !


MITRE ATT&CK compliance

MITRE ATT&CK is a knowledge base with a model of the behavior of a cyber attacker, reflecting the different phases of the attack life cycle according to the targeted platforms: Windows, Mac, Linux, mobile, etc.

Discover the compatibility of TEHTRIS XDR with MITRE ATT&CK


day to deploy TEHTRIS Deceptive Response

+ 500 M

important alerts each month

+ 1 G

interactions monitored worldwide annually by TEHTRIS honeypots

Data Center, sauter vers le TEHTRIS EDR c'est faire le pari d'avoir une entreprise mieux protégée contre les cyberattaques

Preserve the sovereignty and integrity of your data. ​

With a European hosting, TEHTRIS offers you the best guarantees of sovereignty over your data. Detect silent intrusion campaigns and regain control over all attack vectors.


TEHTRIS Deceptive Response covers all network layers from Level 3 to Level 7, providing the ability for attackers to interact remotely, using fake machines. We thus offer network level (IP+ICMP, TCP, UDP) and application level fake layers to simulate SSH access, Web, Windows services and so on.

TEHTRIS Deceptive Response is very simple to deploy, by setting up each virtual appliance dedicated to your business, at the heart of your infrastructure. A simple boot of our installation ISO, and 4 basic answers later, you get your own honeypots that are installed on your network, with the knowledge that the whole service is remotely operated by TEHTRIS in SaaS mode.

A computer decoy is a system capable of making an attacker believe that he is interacting with a real machine, a real service, a real file, etc., in your company. There are many decoys out there, but some are not very effective, because they have become familiar to hackers. By deploying TEHTRIS Deceptive Response, you create value in many different ways. Hackers will waste time on decoys instead of attacking your real machines giving you the opportunity to be better prepared during these crises. Furthermore, they will be detected in the early stages of an attack while they are still mapping out your networks. Finally, you will have the opportunity to understand their operational methodologies in order to better protect your real networks.
We offer several levels of interaction while maximizing our goal of saving time and gathering information from attackers. SOC teams are already struggling to try to follow the logs of real devices. So, without falling into the issues related to high interaction that would cost too much time for humans, far from the real production, we decided to create a tactical system, very field-oriented, combining weak interactions or beyond, to be informed during the upstream phase of an attack.
We think it’s best to deploy decoys inside the network, in very sensitive areas for example, such as your data centers and critical factories. We have customers who have deployed TEHTRIS Deceptive Response on network areas where there is virtually no interaction, such as a fairly closed DMZ. So, the day a hacker enters an exposed website, he will quickly be detected by starting an in-depth exploration phase to escape that DMZ, by visiting neighboring machines. We have customers who have deployed TEHTRIS Deceptive Response on networks that are completely open to internal users, because they wanted to gain certainty about specific at-risk staff (temporary subcontractors particularly interested in crafting discovery packets). Finally, we have customers who have managed to detect attacks via external Wi-Fi for guests, because TEHTRIS Deceptive Response was solicited in a very particular way by visitors pretending to be friendly, who had no idea that an anti-spying honeypot was waiting for them on these floors.
We see every single network packet that comes into the honeypots and we have the ability to quickly understand if it is a false positive or not. Indeed, many people believe in the myth of honeypots, but the reality is that these tools also generate a lot of alerts and we need to understand what is normal and what is not. We therefore monitor several services in particular, such as SSH, Windows, and the Web.
All actions are fed back into the TEHTRIS XDR Platform to which the honeypots are connected. This allows you to benefit from all the other security bricks, such as hunting, CTI, audits, etc. For example, a SOC analyst can quickly see an aggressive IP, doing an “Nmap” scan on a honeypot, and check if the internal IP address is known or go investigate with TEHTRIS EDR on it.

We have all TCP/IP interactions that are notified, as well as high interactions with specific decoys like SSH, Web or even Windows parts. For some interactions, TEHTRIS Deceptive Response users particularly appreciate being able to watch the hacker on video. For SSH, you can follow all typed commands step by step to understand the level, motivations, goals, and tools used. This gives us a rather original and unique way to track hackers.

As TEHTRIS Deceptive Response is deployed on a sensitive area, we listen to the available local flows, beyond the Unicast flows that we receive, and we build a vision of the neighboring machines in CMDB mode. This is not the main function of TEHTRIS Deceptive Response, but it is very useful for us to know where a laptop was connected for the first time, in which factory, on which VLAN, and above all for what purpose.


* © 2020 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation.

** Gartner and Market Guide are registered trademarks of Gartner, Inc. and/or its affiliates in the U.S. and internationally and is used herein with permission. All rights reserved.

Gartner Market Guide for Extended Detection and Response, Craig Lawson, Peter Firstbrook, Paul Webber, 8 November 2021
TEHTRIS recognized as a Representative Vendor in the 2021 Market Guide for Extended Detection and Response.
Craig Lawson, Peter Firstbrook, Paul Webber, 8 November 2021

Gartner Innovation Insight for Unified Endpoint Security, Rob Smith, Dionisio Zumerle, 12th November 2020,
Gartner Market Guide for Mobile Threat Defense, Dionisio Zumerle, Rob Smith, 29th March 2021,
Gartner Peer Insights reviews constitute the subjective opinions of individual end users based on their own experiences and do not represent the views of Gartner or its affiliates.